CVE-2026-35572 Overview
ChurchCRM, an open-source church management system, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 6.5.3. The application uses the value of the client-supplied Referer request header as the target of an outbound server-side HTTP/HTTPS request, so an attacker who can set that header (any HTTP client can) can direct the ChurchCRM server to connect to a host of their choosing. The resulting requests to attacker-controlled or internal destinations can be leveraged for internal network reconnaissance, access to services not exposed to the internet, or out-of-band data exfiltration.
Critical Impact
Authenticated attackers with high privileges can abuse this SSRF vulnerability to probe internal network infrastructure, access internal services not exposed to the internet, and potentially exfiltrate sensitive data through out-of-band communication channels.
Affected Products
- ChurchCRM versions prior to 6.5.3
Discovery Timeline
- 2026-04-07 - CVE-2026-35572 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35572
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The ChurchCRM application uses the value of the Referer HTTP request header as the destination of a server-side HTTP/HTTPS request without validating or sanitizing it first. Because the Referer is set by the client, and any HTTP client can send an arbitrary value in it, an attacker who supplies a malicious URL in that header causes the application server to initiate an outbound request to the specified host.
The vulnerability was confirmed via Out-of-Band Application Security Testing (OAST), which demonstrated that the server successfully made requests to attacker-controlled infrastructure. This type of SSRF can be particularly dangerous in cloud environments where internal metadata services may be accessible, or in networks where the vulnerable server has access to internal resources not directly exposed to attackers.
Root Cause
The root cause of this vulnerability is improper input validation of the HTTP Referer header. The application trusts user-supplied header data and uses it to construct outbound HTTP requests without implementing adequate URL validation, allowlist checks, or request restrictions. This allows attackers to redirect server-side requests to arbitrary destinations.
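The following is an added example, not ChurchCRM's code or the project's fix; it shows the allowlist, scheme, port and resolved-address checks that the root cause above says were absent before a client-supplied URL is fetched server-side. The allowlist entries, the hostnames and the resolver that returns fixed records are assumptions constructed for the illustration.

```python
"""Added example (not ChurchCRM code): validate a client-supplied URL before the
server fetches it. ALLOWED_HOSTS, the hostnames and fake_resolver are assumptions."""
import ipaddress
from typing import Callable, Iterable, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: the operator knows the few hosts the application must contact.
ALLOWED_HOSTS = frozenset({"www.example.org"})
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def is_forbidden_ip(ip: IPAddress) -> bool:
    """Loopback, RFC 1918 / ULA, link-local (which covers the cloud metadata IP),
    multicast and unspecified addresses must never be SSRF targets."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip == METADATA_IP)


def validate_outbound_url(url: str,
                          resolve: Callable[[str], Iterable[str]],
                          allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return None when url may be fetched, otherwise the reason it is refused.

    `resolve` is injected so the check runs offline in tests; in production pass a
    function returning every A/AAAA record for the host. The caller must then
    connect to one of the *returned* addresses rather than re-resolving the name,
    or a DNS-rebinding attacker can pass this check and still reach 127.0.0.1.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"  # blocks http://allowed@evil/ tricks
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    if host not in {h.lower() for h in allowed_hosts}:
        return f"host {host!r} not on allowlist"
    if port not in (None, 80, 443):
        return f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError as exc:
        return f"resolver returned a non-address: {exc}"
    if not addrs:
        return f"host {host!r} does not resolve"
    bad = [str(ip) for ip in addrs if is_forbidden_ip(ip)]
    if bad:
        return f"host {host!r} resolves to forbidden address(es) {', '.join(bad)}"
    return None


def fake_resolver(host: str) -> list:
    """Constructed resolver: fixed records instead of real DNS queries."""
    records = {
        "www.example.org": ["93.184.216.34"],
        "rebound.example.org": ["93.184.216.34", "127.0.0.1"],  # rebinding-style answer
    }
    return records.get(host, [])


def demo() -> dict:
    """Run the check over constructed Referer values; returns url -> verdict."""
    urls = [
        "https://www.example.org/calendar",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:3306/",
        "https://www.example.org:8443/",
        "https://rebound.example.org/",
        "file:///etc/passwd",
        "http://www.example.org@attacker.example/",
    ]
    allowed = ALLOWED_HOSTS | {"rebound.example.org"}
    return {u: validate_outbound_url(u, fake_resolver, allowed) for u in urls}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{(verdict or 'ALLOW'):<60} {url}")
```

The allowlist is checked before resolution on purpose: an attacker-controlled name that resolves to an internal address is refused by name, and an allowlisted name that later resolves to an internal address (the rebinding case) is refused by address. The check cannot protect a caller that re-resolves the hostname when it connects, which is why the resolved addresses are what must be used for the socket.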
Attack Vector
The attack is network-based and requires the attacker to have high-level privileges (authenticated access with elevated permissions). The attacker crafts an HTTP request with a malicious Referer header containing a URL pointing to their controlled infrastructure or internal network targets.
When the server processes this request, it extracts the Referer header value and makes an outbound HTTP/HTTPS request to the specified URL. This can be exploited to:
- Probe internal network services and infrastructure
- Access cloud metadata endpoints (e.g., AWS metadata at 169.254.169.254)
- Bypass firewall restrictions by using the server as a proxy
- Exfiltrate data through DNS or HTTP callbacks to attacker-controlled servers
OAST verification shows that the server makes the outbound connection; the advisory does not state whether the response body is returned to the attacker, so the internal-access and proxy scenarios above may be blind and should be assessed on that basis. For detailed technical information, refer to the GitHub Security Advisory GHSA-44x3-28jv-mrwq.
Detection Methods for CVE-2026-35572
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests originating from the ChurchCRM server to external or internal IP addresses
- DNS queries from the web server to unexpected or suspicious domains
- Network connections to cloud metadata service endpoints (e.g., 169.254.169.254)
- Anomalous Referer header values containing internal IP addresses, localhost references, or suspicious external URLs in application logs
Detection Strategies
- Implement network monitoring to detect outbound connections from the ChurchCRM server to unexpected destinations
- Review web server and application logs for requests with suspicious Referer header patterns
- Deploy Web Application Firewall (WAF) rules to detect and block SSRF attack patterns in HTTP headers
- Use SentinelOne Singularity XDR to monitor for anomalous outbound network behavior from web application servers
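An added example (not part of the advisory or of ChurchCRM) that applies the Referer checks from the indicators and detection strategies above to constructed access-log lines in the Apache/nginx "combined" format. The client address, the usernames, the Referer values and the application's own hostname are assumptions made for the illustration.

```python
"""Added example (not from the advisory): flag access-log entries whose Referer
points at loopback, private, link-local or metadata targets, or uses a non-HTTP
scheme. SAMPLE_LOG and the own_hosts value are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Apache/nginx "combined" format: the Referer is the first quoted field after
# the status code and response size.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
METADATA_IP = ipaddress.ip_address("169.254.169.254")


def referer_severity(referer: str, own_hosts: Iterable[str]) -> Optional[str]:
    """Return "high", "low" or None for one Referer value.

    high: non-http scheme, or a loopback/private/link-local/metadata target given
          as an IP literal or a localhost name.
    low:  any host other than the application's own. For an authenticated admin
          application the Referer is normally the application itself, so this is
          unusual but not proof of an attack.
    """
    if referer in ("", "-"):
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:
        return "high"  # unparseable values deserve a look
    if parts.scheme not in ("http", "https"):
        return "high"
    host = (parts.hostname or "").lower()
    if not host:
        return "high"
    if host == "localhost" or host.endswith(".localhost"):
        return "high"
    if host in {h.lower() for h in own_hosts}:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "low"  # a foreign hostname; correlate with DNS/egress logs
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip == METADATA_IP):
        return "high"
    return "low"  # a public IP literal is still not the application's own host


def scan_access_log(lines: Iterable[str], own_hosts: Iterable[str]) -> List[Dict[str, object]]:
    """Parse combined-format lines and return one finding per suspicious Referer."""
    findings: List[Dict[str, object]] = []
    own = {h.lower() for h in own_hosts}
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a production tool would report this
        sev = referer_severity(m["referer"], own)
        if sev:
            findings.append({"line": n, "severity": sev, "client": m["client"],
                             "user": m["user"], "referer": m["referer"]})
    return findings


# Constructed sample log: one benign referer, three internal targets, one
# external callback-style host, one request without a referer.
SAMPLE_LOG = """\
198.51.100.7 - admin [11/Apr/2026:10:01:13 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://crm.example.org/Menu.php" "Mozilla/5.0"
198.51.100.7 - admin [11/Apr/2026:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://169.254.169.254/latest/meta-data/" "Mozilla/5.0"
198.51.100.7 - admin [11/Apr/2026:10:01:25 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://10.0.0.5:8080/admin" "Mozilla/5.0"
198.51.100.7 - admin [11/Apr/2026:10:01:31 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://localhost/phpmyadmin/" "Mozilla/5.0"
198.51.100.7 - admin [11/Apr/2026:10:01:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://abc123.oast.example/" "Mozilla/5.0"
198.51.100.7 - admin [11/Apr/2026:10:01:45 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def demo() -> List[Dict[str, object]]:
    """Scan the constructed log; own_hosts is the assumed ChurchCRM hostname."""
    return scan_access_log(SAMPLE_LOG.splitlines(), own_hosts={"crm.example.org"})


if __name__ == "__main__":
    for f in demo():
        print(f"line {f['line']}: {f['severity']:<4} user={f['user']} referer={f['referer']}")
```

This inspects only the literal host in the Referer. Obfuscated forms such as decimal or octal IPs, and external hostnames that resolve to internal addresses, pass the literal check, which is why the "low" findings should be correlated with the DNS and egress monitoring recommended below rather than discarded.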
Monitoring Recommendations
- Ensure the web server logs the Referer header for every request (the Apache and nginx "combined" log formats already include it) and retain those logs long enough for retrospective review
- Monitor egress traffic from the web server for connections to internal network ranges or cloud metadata endpoints
- Implement alerting for outbound requests to newly observed domains from the application server
- Configure network segmentation alerts for unauthorized cross-segment communication attempts
How to Mitigate CVE-2026-35572
Immediate Actions Required
- Upgrade ChurchCRM to version 6.5.3 or later immediately
- Review application logs for evidence of exploitation attempts
- Implement network-level controls to restrict outbound connections from the ChurchCRM server
- Consider placing the ChurchCRM server behind a WAF with SSRF protection rules enabled
Patch Information
The vulnerability is fixed in ChurchCRM version 6.5.3. Organizations should upgrade to this version or later to remediate the vulnerability. The security advisory and patch details are available in the GitHub Security Advisory for GHSA-44x3-28jv-mrwq.
Workarounds
- Implement egress filtering to restrict outbound HTTP/HTTPS requests from the web server to only necessary destinations
- Deploy a reverse proxy in front of ChurchCRM that validates or strips the Referer header before it reaches the application; test this first, since any application feature that relies on the Referer (for example post-action redirects) will be affected
- Use network segmentation to isolate the ChurchCRM server and limit access to internal resources
- Temporarily restrict high-privilege account access if immediate patching is not feasible
# Example iptables rules to restrict outbound HTTP/HTTPS from the web server.
# Assumes the application runs as the www-data user (-m owner scopes the rules
# to it, so other services on the host are unaffected). A hostname given to -d
# is resolved only once, at insertion time, so use IP addresses (203.0.113.10 is a placeholder).
iptables -A OUTPUT -o lo -j ACCEPT   # loopback stays open for the local DB; only the patch stops SSRF against localhost
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.169.254 -j DROP
iptables -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 80 -d 203.0.113.10 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner www-data -p tcp --dport 443 -d 203.0.113.10 -j ACCEPT
# Drop every other new TCP connection from the web server user, not only ports
# 80/443, since an SSRF request can target any port
iptables -A OUTPUT -m owner --uid-owner www-data -p tcp -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

